On Wed, Jul 23, 2003 at 03:15:55AM -0500, Luca - De Whiskey's - De Vitis wrote:
> On Tue, Jul 22, 2003 at 06:36:06PM -0400, Matt Zimmerman wrote:
> > > I've some questions for you, first. Would you mind, please,
> > > explaining to me why back-porting a patch for a buggy package in stable
> > > would be better than releasing a new package for the
> > > stable distribution?
> >
> > Do you mind taking this discussion to a public mailing list so that I don't
> > have to explain over and over?
>
> The kind of patch we were talking about was for a security fix. I was asking
> this question to Matt because the new package I'd like to release for stable
> also fixes many other bugs.
>
> I'm sorry if some of you might think this question to be dumb or stupid, but
> it's not obvious to me.
>
> Please, please, please: no reference/flame about releasing new stable
> distribution more often. That would not be the point.
>
> ciao,
> P.S.: Matt, if you felt this question to be common, it might be worth adding
> some/your explanations to the developers-reference too.
This is already in the security team FAQ, and in the developer's reference in
section "5.8.5.3 Preparing packages to address security issues", but
apparently it requires further explanation, because this issue comes up from
time to time. I will expand the developer's reference more when I get a
chance. The main points are:
- Security advisories and the associated packages should fix security
vulnerabilities and nothing else. It is irresponsible to "sneak in"
additional changes or try to use a security vulnerability as an excuse to
bypass the normal process for updating a package in stable to fix other
bugs.
- If your package is so buggy in stable that it is useless, you should have
made an upload to proposed-updates a long time ago. Don't wait for a
security advisory and try to use that to get random bug fixes in. They
will not be accepted as part of a security update.
--
- mdz